« previous next »
Pages: [1]   Go Down

Author Topic: Why downloading KMSPico is not a good idea....  (Read 4282 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Why downloading KMSPico is not a good idea....
« on: July 18, 2017, 12:22:52 AM »
Read the discussion here: https://www.reddit.com/r/Piracy/comments/43itah/is_kmspico_windows_activator_safe/
Windows Defender will alert in defense of DRM legislation. The software is being frowned upon because of DRM issues etc. Do not use illegit softwares/torrenting. Better safe then sorry.

Then there are issues to suppose the website coders there aren't top class either:

I checked the download site for all of ye and the results are certainly not encouriging.
The Comodo cert. seems properly installed, but issue here with a jQuery library:
http://retire.insecurity.today/#!/scan/47c0ee465ba5734572118d1246d5abb3991d645330bd18416d7598c8275322c3

A meagre F-status here: https://observatory.mozilla.org/analyze.html?host=www.kmspico4u.com
and recommendations, no HSTS and more missing.

Site was made with Word Press CMS, and there the real CMS tragedy starts.
Word Press version outdated: 4.7.5
Outdated plug-ins:
WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress sites front page.

si-captcha-for-wordpress 3.0.0.16   latest release (3.0.0.20) Update required
https://wordpress.org/plugins/si-captcha-for-wordpress/
contact-form-7 4.7   latest release (4.8) Update required
https://contactform7.com/

Warning User Enumeration is possible
The first two user ID's were tested to determine if user enumeration is possible.

ID   User   Login
1   riponzm21   riponzm21
2   Arshad Khan   kmspico
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Warning Directory Indexing Enabled
In the test we attempted to list the directory contents of the uploads and plugins folders to determine if Directory Indexing is enabled. This is an information leakage vulnerability that can reveal sensitive information regarding your site configuration or content.

/wp-content/uploads/ enabled

B-Status: https://sritest.io/#report/e83f22fc-30c6-4bea-84e6-751e279fd3a1

polonus (volunteer website security analyst and website error-hunter)
Logged
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
Pages: [1]   Go Up
« previous next »